Wednesday, July 15, 2009

The Chain is as strong as the weakest link in the chain

The title describes a Security approach. According to this approach, the easiest and most plausible Security breach is through the weakest link.
Lessons learned from a few Penetration Tests I conducted support the approach cited above.

It is true that there is no way to assure absolute Security (for a deeper explanation of why, you can look at the web site of a well-known security guru, Bruce Schneier).

Any Security mechanism is breakable by someone who has expertise and spends a lot of resources (including time).
But it is also possible to breach Security without expertise and by spending only a few resources for a very short time: just exploit the weakest link.

As part of a Penetration Test, I always looked for simple, unsophisticated methods to penetrate instead of penetrating by use of very sophisticated methods.
These methods could be used by anyone, unlike the sophisticated ones, which could be used only by a limited group of very talented experts.

What is the weakest link?
According to my experience it is the human factor.
For example, let's explore Password mechanisms. You may deploy a very sophisticated Password pattern, a frequent password change cycle enforced automatically and a reasonable Suspension mechanism for inactive users, but if users hang notes including their passwords on their screens (or on other visible objects), these good mechanisms are futile. Let alone a pattern demonstrated by an incident I experienced while conducting a Penetration Test.
Prior to that meeting, I discovered a user who had authorization far beyond his Role requirements. In front of the CSO I asked him for his password, just to demonstrate that it is possible to misuse the unneeded authorization. Instead of keying the password, he wrote it on a note and gave it to me. I am quite sure that a lot of employees lacking Security awareness training would give their passwords to unauthorized people (a well-known Phishing method is sending an e-mail message including a bank logo or eBay's PayPal logo and asking the recipient to type them into a form). If the unauthorized people are, or pretend to be, employees of a respectable organization (e.g. a research institute, a market analysis firm, a well-known Software brand or a consulting company), then the probability of disclosing information is higher.
For additional information on the effect of representing a respectable organization, read about a classical Psychological experiment conducted by Milgram many years ago.
This experiment is depicted in a YouTube video.

How weak is the weakest link?
It is even weaker than my expectations. Recently I read a post by eWeek's Brian Prince titled "You are the weakest link" and found that, in a report surveying 967 end users (the survey was sponsored by IronKey), roughly half of those surveyed said that their corporate data security policies are largely ignored by both employees and management. The severity of the policy violations varies.
For example, 61% admitted to copying confidential data and transferring the information to a non-corporate device, and more than 20% turned off security such as anti-virus software, desktop firewalls and enterprise device encryption.

My Take
It is clear that the weakest link is human beings. Expensive and complicated Security software is not enough.
The question to be asked is why?
Part of the answer is human nature, but the other part could be reduced or eliminated.
As found in the survey, more than half (58%) of those surveyed said that they felt their companies did not provide adequate training on following the rules. 46% said the policies were too complex to understand.
The keys to good enough Security are awareness, awareness and awareness.
An adequate and down-to-earth Security Policy may also be helpful.


Avi Rosenthal said...

The following comment was left in a LinkedIn group

There is an old saying, "You can't fix stupid." In the case of IT Security, it is usually "willful ignorance" because end users will always go down the path of least resistance.

They have a job to do and ANYTHING that helps them do that job faster, even if it puts company data and security at risk, they will do.

End users are not equipped to do a real risk / cost analysis so they always underestimate (again even willfully ignoring all evidence to the contrary) to get their job done.

I think we all have known at one time or another the VP or even CIO / CEO who have asked to have all their passwords never expire etc etc.

That is why I am a strong believer that IT Security Training never works.

The only way to successfully enforce IT Security Policies is to find a technology that enforces it seamlessly and does not create any additional work for IT or the Business.

IT Governance is not worth the paper it is written on without technological enforcement and monitoring.
Posted by Alan Freiman

Avi Rosenthal said...

The comment can be summarized in the following bullets: is the only means for enforcing Security policies.
I am not aware of any technology which can enforce Security Policies by itself. Let alone enforcing it in a seamless way. Enforcement is a mix of technologies and awareness.

2. End Users tend to ignore Security policies in order to do their job more easily.
The example I gave in my post as well as other parts of the comment refer to IT department employees and not to End Users, so if the view is valid it is related to both IT and non-IT employees.
The survey I quoted supports this view, at least partially. The real questions are: Are Security Policies too complex, so people do not understand them? And to what degree do they disrupt doing jobs?

3. In my opinion awareness + technology may be helpful if and only if Policies are not too complex and a proper balance is achieved between the level of Security and the need to perform jobs.
